New in Repo – Repository Routing Helps Protect Against Dependency Hijacking Attacks

Nexus Repository Manager 3.17 introduces a new feature that allows organizations to better protect their supply chain dependencies against hijacking attacks. This new feature, known as Repository Routing, allows an administrator of a Nexus Repository Manager instance to apply certain routing rules when making requests to upstream repositories.


To preface this discussion, let’s go over the types of repositories that exist within NXRM.

  • First, we have Proxy Repositories, which proxy public repositories such as maven-central, etc.
  • Second, there are Hosted Repositories. These are private, locally hosted repositories, generally used to store proprietary components.
  • Then, there are Group Repositories, which aggregate proxy and/or hosted repositories and make them available under a single repository URL.

Namespace Squatting

So, how does all of this play into organizations’ security concerns regarding their proprietary dependencies? What can arise from the exposure of private package names is Namespace Squatting: the practice of defining or using previously unused names in someone else’s namespace without their permission. A bad actor who learns an organization’s namespaces could publish components under those company-internal namespaces to public repositories. Builds that resolve dependencies through a proxy of such a public repository could then consume these bad packages unintentionally, leaving your applications and organization open to attack.

Repository Rules

How can you prevent something like namespace squatting from happening to your organization? This is where Repository Routing Rules come into play. By whitelisting or blacklisting request paths, you can prevent developers’ requests for proprietary packages from ever being sent to proxy repositories.

Shown below, you can create a repository routing rule to prevent developers from pulling a private package from a public repository. In this example, the company Pied Piper uses the proprietary library piedpiper-middle-out throughout its applications.

Unfortunately, this information has (Read more...)
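To make the blocking behaviour concrete, here is a small Python model of the routing-rule evaluation described above. It is an added illustration, not NXRM's own code or configuration: each rule is modelled as a mode (BLOCK or ALLOW) plus regular-expression matchers applied to the request path, and the Pied Piper rule, the Maven-style paths and the sample requests are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class RoutingRule:
    """Model of a routing rule (assumption, not the NXRM data model).
    BLOCK: a request matching any matcher is refused before it goes upstream.
    ALLOW: only a request matching some matcher is forwarded upstream."""
    name: str
    mode: str                                   # "BLOCK" or "ALLOW"
    matchers: List[str] = field(default_factory=list)

    def permits(self, path: str) -> bool:
        hit = any(re.search(pattern, path) for pattern in self.matchers)
        if self.mode == "BLOCK":
            return not hit
        if self.mode == "ALLOW":
            return hit
        raise ValueError(f"unknown mode {self.mode!r}")


def route(rule: RoutingRule, repo_kind: str, path: str) -> bool:
    """True if the request may be served. Routing rules gate only what a proxy
    repository forwards upstream; a hosted repository answers from local storage."""
    if repo_kind != "proxy":
        return True
    return rule.permits(path)


# Constructed rule for the Pied Piper scenario (assumed Maven namespace layout):
# keep every request under the company's internal group off the proxy.
PIED_PIPER_BLOCK = RoutingRule(
    name="block-piedpiper-internal",
    mode="BLOCK",
    matchers=[r"^/com/piedpiper/.*", r"^/.*/piedpiper-middle-out/.*"],
)

# Constructed sample requests, as (repository kind, request path).
SAMPLE_REQUESTS = [
    ("proxy", "/com/piedpiper/piedpiper-middle-out/1.2.0/piedpiper-middle-out-1.2.0.jar"),
    ("proxy", "/org/apache/commons/commons-lang3/3.9/commons-lang3-3.9.jar"),
    ("hosted", "/com/piedpiper/piedpiper-middle-out/1.2.0/piedpiper-middle-out-1.2.0.jar"),
]


def evaluate(rule: RoutingRule, requests):
    """Return {(kind, path): decision} for each request; False means blocked."""
    return {(kind, path): route(rule, kind, path) for kind, path in requests}


if __name__ == "__main__":
    for (kind, path), ok in evaluate(PIED_PIPER_BLOCK, SAMPLE_REQUESTS).items():
        print(f"{'FORWARD' if ok else 'BLOCK  '} {kind:6} {path}")
```

The internal artifact is refused on the proxy but still served from the hosted repository, while the unrelated public artifact is forwarded as before.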

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sable Yemane. Read the original post at: